MyFirewall (2 Interfaces)
#!/bin/bash
#
# Copyright (c) 2002 Pierre Burri
#
# MyFirewall is free for personal use only.
#
# Use this firewall at your own risk, I am NOT responsible if someone
# is able to break through it and corrupt your system.
#
# You have been warned!
#
# File Name : /etc/init.d/MyFirewall
# Version   : 1.01-elop
# Author    : Pierre Burri, can be reached at pierre@globeall.de
#
# This firewall is my own "soup" but inspired from the book
# "Das Firewall Buch" from Wolfgang Barth, "Linux Firewalls"
# second edition from Robert L. Ziegler, many articles and
# my first firewall with ipchains.
#
# Date    : 19-May-2001
# Release : 05-Jun-2001 added forwarding for ICMP
#           09-Jun-2001 added possibility to administer the server from
#                       a remote host (ssh)
#           07-Jul-2001 ssh now uses only unprivileged ports
#           10-Jul-2001 removes module ipchains if necessary (SUSE 7.2)
#                       change grep to "inet addr" (SUSE 7.2)
#                       added transparent proxy
#           12-Jul-2001 use REDIRECT for transparent proxying
#                       "iptables -t nat -F" added when the firewall is
#                       stopped
#           02-Nov-2001 added tests for icmp_xxx because some kernel
#                       parameters have disappeared with SuSE 7.3
#           15-Nov-2001 added second ethernet card for ADSL,
#                       added a few new local variables
#           24-Nov-2001 added a test if the script is run in a terminal
#           12-Dec-2001 added MSS (Max Segment Size) correction for ADSL
#                       in the FORWARD chain
#           20-Dec-2001 cleanup unnecessary test lines
#                       added many more comments, the new chain www_for,
#                       renamed logdropsyn in logdropopen, echo-request in
#                       INPUT but with burst-limit, doesn't log netbios
#                       packets anymore etc...
#           3-Jan-2002  service auth added in OUTPUT filter.
#                       TCP flags check added. New chains tcp_flags,
#                       spoofed_src_ip, spoofed_dst_ip, icmp_in &
#                       icmp_out added. log end of nat table.
#                       Replaced com_out and com_for with www_serv.
#           11-Apr-2002 - changed the grep of the IP Addr because of
#                         english (addr) and german (Adr).
#                       - because of SuSE 8.0 added variables if_config,
#                         net_stat and iptables
#                       - added variables allow_smtp & allow_http for more
#                         flexibility and test purposes
#           15-Apr-2002 - removed eth1 for DSL.
#                         with pppoe, only pppd is used and not eth1.
#                       - added variable allow_smtp_test
#           7-Jun-2002  - fixed ping problem.
#           8-Jun-2002  - added possibility of a permanent ssh entry.
#                       - added variable forwarding for the possibility
#                         to disable forwarding/masquerading functions.
#                       - all lan can be disabled.
#           9-Jun-2002  - fixed bug with ssh remote entry.
#           20-Jun-2002 - added variables allow_pop3 and allow_ftp for
#                         pop3 server and ftp server.
#                       - for test purposes added variables inside_C_lan
#                         & allow_cups_b.
#           16-Jul-2002 - added Time Server entry and variable
#
# Usage : /etc/init.d/MyFirewall cmd [ext-IF] [dis|ena|IP-Address]
#
# 1. param: cmd = start or stop or restart or status.
# 2. param: ext-IF = ppp0 for ADSL/Modem, ippp0 - ipppn for ISDN.
# 3. param: ssh-entry. If there is no 3. parameter or the 3. parameter
#           is "dis", then ssh from outside is disabled (default).
#           If the 3. argument is "ena", then ssh from outside is
#           enabled. If the 3. parameter is an IP-Address, then only
#           this IP-Address can enter through the firewall.
#
# MyFirewall should be called by /etc/ppp/ip-up.local
# don't forget to make it executable: chmod 755 /etc/ppp/ip-up.local
#
# ip-up.local should have the following lines:
#
#   #!/bin/bash
#   /etc/init.d/MyFirewall restart $1
#
# It is probably a good idea, especially if you run a proxy like
# squid, to start as well a caching DNS Server (bind9 or bind8)
# beside the firewall. Don't forget to put the DNS Servers of your
# ISP (Provider) in the configuration file /etc/named.conf
# (the following example is for T-DSL):
#   forwarders { 217.230.170.127; 194.25.2.129; };
# and configure carefully who can access your name server, eg.:
#   allow-query { 127.0.0.1; 192.168.10.0/24; };
# Script Result variables
# The following two variables were taken from /etc/rc.status
if [ "$TERM" = "linux" -o "$TERM" = "xterm" ]
then
    rc_done="\015\033[80C\033[10D\033[1;32mdone\033[m\017"
    rc_failed="\015\033[80C\033[10D\033[1;31mfailed\033[m\017"
else
    rc_done="done"
    rc_failed="failed"
fi

# NOTE: Variables whose comment is marked with *** have to be adapted

# The following 3 variables eventually have to be adapted if "ifconfig",
# "netstat" or "iptables" are not in the same path on your linux distribution.
# These are set for SUSE Linux 8.0
if_config=/sbin/ifconfig
net_stat=/bin/netstat
iptables=/usr/sbin/iptables


# Definition of local variables.

# *** "ssh_rip" allows to control if a remote connection through SSH to this
# host is possible. The possible values are "dis" (disabled) or "ena"
# (enabled). The value of "ssh_rip" is overwritten when an IP-Address is given
# as the third parameter at the start of the firewall.
ssh_rip=ena

# *** do you want to allow access to your Web server (Apache) from outside?
# default = no
allow_http=no

# *** do you want to allow access to your Mail server (Sendmail, Postfix, Qmail)
# from outside?
# default = no
allow_smtp=no

# the following variable is only for SMTP-Test purposes
allow_smtp_test=no

# *** do you want to allow access to your POP-3 server (qpopper)
# from outside?
# default = no
allow_pop3=no

# *** do you want to allow access to your FTP server from outside?
# default = no
allow_ftp=no

# is your firewall inside of a class C lan? MyFirewall is thought to
# protect a lan from the Internet. But, mainly for test purposes, it is
# possible to setup MyFirewall to protect a single host inside of a
# class C lan.
# If you set inside_C_lan=yes, probably def_ext_int will be = eth0,
# lan1 & lan2 will be disabled and forwarding will be = no.
# Be sure you understand what you are doing before you change this variable!
# default = no
inside_C_lan=no

# do you want to allow CUPS broadcasts?
# this variable works only if inside_C_lan=yes and is mainly thought
# for test purposes.
# default = no
allow_cups_b=no

# *** def_ext_int = default external interface (for the firewall's first start)
# ippp0 - ipppn for ISDN, ppp0 for T-DSL/ADSL or Modems
def_ext_int=ppp0

# *** does this firewall run on a router? (this means that forwarding and
# masquerading is necessary)
# default = yes, otherwise set it to no.
forwarding=yes

# *** the variable "adsl_router" is only necessary if you use this firewall
# on a router with an adsl/t-dsl connection.
# If you do not use this host as an adsl router, set "adsl_router" to no.
adsl_router=yes

# *** Local IP addresses of this host where this firewall is running
# (one per internal interface)
my_host1=192.168.70.9
my_host2=192.168.71.9

# *** lan1 & lan2 (local area network) are for your regular client-hosts,
# adapt it to your own needs
# if you do not have a lan at all, then comment out (#) lan1 & lan2.
lan1=192.168.70.0/24

# *** if you do not have a second subnet, just remove "lan2" here or
# comment it out.
lan2=192.168.71.0/24

# *** int_if1 & int_if2 (internal interface 1 is for the clients)
int_if1=eth1
int_if2=eth2

# Unprivileged ports
unpriv_p=1024:

# trace_p are the ports for "traceroute"
trace_p=33434:33523

# *** IP-Address for a transparent Proxy Server (Squid)
# Comment the line "proxy" if you do not have a transparent Proxy Server
# (the proxy listens on the address of the first internal interface)
#proxy=$my_host1

# Listening Port for the Proxy Server
proxy_p=3128

# Time Server ntp1.ptb.de
timeserver=192.53.103.103

# anything = The Internet
any=0/0

# list of illegal IP addresses
class_a=10.0.0.0/8
class_b=172.16.0.0/12
class_c=192.168.0.0/16
class_d_multicast=224.0.0.0/4
class_e_reserved=240.0.0.0/5
loopback=127.0.0.0/8
broadcast_src=0.0.0.0
broadcast_dst=255.255.255.255


# Determines all the interfaces
################################################################
if [ "$1" = start ]
then
    # Determines the ISDN or ADSL interface
    if [ $2 ]
    then
        www_if=$2
    else
        www_if=$def_ext_int
    fi

    # Makes a list of all used interfaces
    all_if="$www_if $int_if1 $int_if2"

    # Determines the local IP on the external interface to Internet
    # (matches both the english "inet addr:" and the german "inet Adr:")
    www_ip=$($if_config $www_if | grep "inet [Aa]d" | cut -d: -f 2 \
             | cut -d" " -f 1)

    # determines if a remote connection with SSH for administration purposes
    # is allowed. ssh_rip = ssh remote IP address
    if [ $3 ]
    then
        ssh_rip=$3
    fi
fi

case "$1" in
    start)
    echo MyFirewall: Interface=$www_if Local-IP-Address=$www_ip


    # Turning on dynamic kernel parameters
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    for f in $all_if; do
        echo 1 > /proc/sys/net/ipv4/conf/$f/rp_filter
        echo 0 > /proc/sys/net/ipv4/conf/$f/accept_redirects
        echo 0 > /proc/sys/net/ipv4/conf/$f/accept_source_route
        echo 0 > /proc/sys/net/ipv4/conf/$f/bootp_relay
        # echo 0 > /proc/sys/net/ipv4/conf/$f/log_martians
    done
    echo 1 > /proc/sys/net/ipv4/conf/$www_if/log_martians

    # the following parameters don't exist anymore with SuSE 7.3 and onwards
    file_exists="/proc/sys/net/ipv4/icmp_destunreach_rate"
    test -e $file_exists && echo 5 > $file_exists

    file_exists="/proc/sys/net/ipv4/icmp_echoreply_rate"
    test -e $file_exists && echo 5 > $file_exists

    file_exists="/proc/sys/net/ipv4/icmp_paramprob_rate"
    test -e $file_exists && echo 5 > $file_exists

    file_exists="/proc/sys/net/ipv4/icmp_timeexceed_rate"
    test -e $file_exists && echo 10 > $file_exists

    # Load the module ip_tables and remove ipchains if already loaded
    modprobe -r ipchains
    modprobe ip_tables

    # Set default policies
    echo "Setting up firewall rules..."
    $iptables -P INPUT DROP
    $iptables -P OUTPUT DROP
    $iptables -P FORWARD DROP

    if [ $forwarding = "yes" ]
    then
        $iptables -t nat -P PREROUTING DROP
        $iptables -t nat -P POSTROUTING DROP
        $iptables -t nat -P OUTPUT DROP
    fi

    # Flushes all rules of all chains + nat table
    $iptables -F
    $iptables -t nat -F


    ################## CUSTOM Chains ##################
    $iptables -N logdropspoof
    $iptables -N logdropopen
    $iptables -N tcp_flags
    $iptables -N icmp_in
    $iptables -N icmp_out
    $iptables -N spoofed_src_ip
    $iptables -N spoofed_dst_ip
    $iptables -N com_check
    $iptables -N www_serv

    # *** logdropspoof chain ***
    # (log & drop spoofed packets)
    $iptables -A logdropspoof -j LOG --log-prefix "spoofed-ip "
    $iptables -A logdropspoof -j DROP

    # *** logdropopen chain ***
    # (log & drop new connections)
    $iptables -A logdropopen -j LOG --log-prefix "new-or-open "
    $iptables -A logdropopen -j DROP

    # *** tcp_flags chain ***
    # (check the validity of tcp flags)
    # 1st field = which flags are checked
    # 2nd field = which flags are set
    $iptables -A tcp_flags -p tcp --tcp-flags ALL NONE -j DROP          # no flags at all
    $iptables -A tcp_flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP   # SYN and FIN together
    $iptables -A tcp_flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP   # SYN and RST together
    $iptables -A tcp_flags -p tcp --tcp-flags FIN,RST FIN,RST -j DROP   # FIN and RST together
    $iptables -A tcp_flags -p tcp --tcp-flags ACK,FIN FIN -j DROP       # FIN without ACK
    $iptables -A tcp_flags -p tcp --tcp-flags ACK,PSH PSH -j DROP       # PSH without ACK
    $iptables -A tcp_flags -p tcp --tcp-flags ACK,URG URG -j DROP       # URG without ACK
    # *** icmp_in chain ***
    # (accepts some icmp types)
    $iptables -A icmp_in -p icmp --fragment -j LOG --log-prefix \
        "fragmented "
    $iptables -A icmp_in -p icmp --fragment -j DROP
    $iptables -A icmp_in -p icmp --icmp-type echo-reply -j ACCEPT
    # answer pings, but rate-limited; anything above the limit is dropped
    $iptables -A icmp_in -p icmp --icmp-type echo-request \
        -m limit --limit 5/minute -j ACCEPT
    $iptables -A icmp_in -p icmp --icmp-type echo-request -j DROP
    $iptables -A icmp_in -p icmp --icmp-type destination-unreachable \
        -j ACCEPT
    $iptables -A icmp_in -p icmp --icmp-type source-quench -j ACCEPT
    $iptables -A icmp_in -p icmp --icmp-type time-exceeded -j ACCEPT
    $iptables -A icmp_in -p icmp --icmp-type parameter-problem \
        -j ACCEPT

    # *** icmp_out chain ***
    # (accepts some icmp types)
    $iptables -A icmp_out -p icmp --icmp-type echo-reply -j ACCEPT
    $iptables -A icmp_out -p icmp --icmp-type echo-request -j ACCEPT
    $iptables -A icmp_out -p icmp --icmp-type destination-unreachable \
        -j ACCEPT
    $iptables -A icmp_out -p icmp --icmp-type fragmentation-needed \
        -j ACCEPT
    $iptables -A icmp_out -p icmp --icmp-type source-quench \
        -j ACCEPT
    $iptables -A icmp_out -p icmp --icmp-type time-exceeded \
        -j ACCEPT
    $iptables -A icmp_out -p icmp --icmp-type parameter-problem \
        -j ACCEPT
    # *** spoofed_src_ip chain ***
    # (list of invalid source IP addresses)

    # The following lines are taken from www.linux-firewall-tools/linux
    # Refuse addresses defined as reserved by the IANA
    # IANA = Internet Assigned Numbers Authority (www.iana.org)
    #
    # Note: this list includes the loopback, multicast,
    # and reserved addresses.
    # 0.*.*.* - Can't be blocked for DHCP users.
    $iptables -A spoofed_src_ip -s $class_a -j logdropspoof
    $iptables -A spoofed_src_ip -s $class_b -j logdropspoof
    if [ $inside_C_lan = "no" ]
    then
        $iptables -A spoofed_src_ip -s $class_c -j logdropspoof
    fi
    $iptables -A spoofed_src_ip -s $class_d_multicast -j logdropspoof
    $iptables -A spoofed_src_ip -s $class_e_reserved -j logdropspoof
    $iptables -A spoofed_src_ip -s $loopback -j logdropspoof
    $iptables -A spoofed_src_ip -s 0.0.0.0/8 -j logdropspoof
    $iptables -A spoofed_src_ip -s 169.254.0.0/16 -j logdropspoof
    $iptables -A spoofed_src_ip -s 192.0.2.0/24 -j logdropspoof
    $iptables -A spoofed_src_ip -s $broadcast_src -j logdropspoof

    # *** spoofed_dst_ip chain ***
    # (list of invalid destination IP addresses)
    $iptables -A spoofed_dst_ip -d $broadcast_dst -j logdropspoof
    $iptables -A spoofed_dst_ip -p ! udp -d $class_d_multicast \
        -j logdropspoof

    # *** com_check chain ***
    # (common checks for the INPUT & FORWARD chains)

    # Checks tcp flags
    $iptables -A com_check -p tcp -j tcp_flags

    # Address Spoofing: no packets coming in should claim to be from lan 1 or 2
    if [ $lan1 ]
    then
        $iptables -A com_check -i $www_if -s $lan1 -j logdropspoof
    fi
    if [ $lan2 ]
    then
        $iptables -A com_check -i $www_if -s $lan2 -j logdropspoof
    fi

    $iptables -A com_check -i $www_if -j spoofed_src_ip
    $iptables -A com_check -i $www_if -j spoofed_dst_ip


    # reject all UDP connections started from the Internet
    # on listening ports >= 1024, (for eg. NFS)
    # but except the port related to DNS
    for udp_p in $($net_stat -nlpu | grep -v named | \
                   cut -d: -f2 | cut -d" " -f1 | \
                   sed -n '/[0-9].*/p'); do
        if [ $udp_p -ge 1024 ]
        then
            $iptables -A com_check -p udp -i $www_if --dport $udp_p \
                -j logdropopen
        fi
    done

    # reject + log anything to the X Window ports
    $iptables -A com_check -p tcp -i $www_if --dport 6000:6063 \
        -j logdropopen

    # reject + log anything to the Open Window port
    $iptables -A com_check -p tcp -i $www_if --dport 2000 \
        -j logdropopen

    # reject + log anything to the NFS & RPC ports
    # (udp ports are already taken care of above)
    $iptables -A com_check -p tcp -i $www_if --dport 2049 \
        -j logdropopen
    $iptables -A com_check -p tcp -i $www_if --dport 111 \
        -j logdropopen

    # *** www_serv chain ***
    # (output and forward to the Internet services)


    # DNS
    $iptables -A www_serv -p tcp --sport $unpriv_p --dport domain \
        -j ACCEPT
    $iptables -A www_serv -p udp --sport $unpriv_p --dport domain \
        -j ACCEPT

    # HTTP & HTTPS (WWW)
    $iptables -A www_serv -p tcp --sport $unpriv_p --dport http \
        -j ACCEPT
    $iptables -A www_serv -p tcp --sport $unpriv_p --dport https \
        -j ACCEPT

    # IMAP, POP3 & SMTP (Mail)
    $iptables -A www_serv -p tcp --sport $unpriv_p --dport imap \
        -j ACCEPT
    $iptables -A www_serv -p tcp --sport $unpriv_p --dport pop3 \
        -j ACCEPT
    $iptables -A www_serv -p tcp --sport $unpriv_p --dport smtp \
        -j ACCEPT

    # FTP (outgoing, control port)
    $iptables -A www_serv -p tcp --sport $unpriv_p --dport ftp \
        -j ACCEPT

    # FTP DATA (outgoing, passive data connection)
    $iptables -A www_serv -p tcp --sport $unpriv_p --dport $unpriv_p \
        -j ACCEPT

    # SSH
    $iptables -A www_serv -p tcp --sport $unpriv_p --dport ssh \
        -j ACCEPT

    # Traceroute
    $iptables -A www_serv -p udp --sport $unpriv_p --dport $trace_p \
        -j ACCEPT

    # Auth
    $iptables -A www_serv -p tcp --sport $unpriv_p --dport auth \
        -j ACCEPT

    # Time Server
    $iptables -A www_serv -p udp --sport ntp -d $timeserver \
        --dport ntp -j ACCEPT


    # *** INPUT chain ***

    # accept everything coming from the loopback device
    $iptables -A INPUT -i lo -j ACCEPT

    # accept everything coming from lan 1 & 2
    if [ $lan1 ]
    then
        $iptables -A INPUT -i $int_if1 -s $lan1 -j ACCEPT
    fi
    if [ $lan2 ]
    then
        $iptables -A INPUT -i $int_if2 -s $lan2 -j ACCEPT
    fi

    # accepts some icmp types
    $iptables -A INPUT -i $www_if -p icmp -j icmp_in

    # checks TCP flags, logs and drops all possible known spoofed addresses
    $iptables -A INPUT -i $www_if -j com_check

    # Transparent Proxy for all clients
    if [ $proxy ]
    then
        $iptables -t nat -A PREROUTING -i $int_if1 -p tcp \
            --sport $unpriv_p -d ! $proxy --dport 80 \
            -j REDIRECT --to-port $proxy_p
    fi

    # Allow access to an SSH server?
    # Administration entry: ssh only possible with a defined IP address or "ena"
    if [ $ssh_rip != "dis" ]
    then
        if [ $ssh_rip = "ena" ]
        then
            $iptables -A INPUT -p tcp -i $www_if -s $any \
                --sport $unpriv_p \
                -d $www_ip --dport ssh \
                -m state --state NEW -j ACCEPT
        else
            $iptables -A INPUT -p tcp -i $www_if -s $ssh_rip \
                --sport $unpriv_p \
                -d $www_ip --dport ssh \
                -m state --state NEW -j ACCEPT
        fi
    fi

    # Allow access to a mail server?
    if [ $allow_smtp = "yes" ]
    then
        $iptables -A INPUT -p tcp -i $www_if -s $any \
            --sport $unpriv_p \
            -d $www_ip --dport smtp \
            -m state --state NEW -j ACCEPT
    fi

    # Allow access to a POP-3 server?
    if [ $allow_pop3 = "yes" ]
    then
        $iptables -A INPUT -p tcp -i $www_if -s $any \
            --sport $unpriv_p \
            -d $www_ip --dport pop3 \
            -m state --state NEW -j ACCEPT
    fi

    # Allow access to a FTP server?
    if [ $allow_ftp = "yes" ]
    then
        $iptables -A INPUT -p tcp -i $www_if -s $any \
            --sport $unpriv_p \
            -d $www_ip --dport ftp \
            -m state --state NEW -j ACCEPT
        # passive-mode data connections arrive on unprivileged ports
        $iptables -A INPUT -p tcp -i $www_if -s $any \
            --sport $unpriv_p \
            -d $www_ip --dport $unpriv_p \
            -m state --state NEW -j ACCEPT
    fi

    # Allow access to the Web server?
    if [ $allow_http = "yes" ]
    then
        $iptables -A INPUT -p tcp -i $www_if -s $any \
            --sport $unpriv_p \
            -d $www_ip --dport http \
            -m state --state NEW -j ACCEPT
        $iptables -A INPUT -p tcp -i $www_if -s $any \
            --sport $unpriv_p \
            -d $www_ip --dport https \
            -m state --state NEW -j ACCEPT
    fi

    # Are we firewalling a host in a C Lan?
    if [ $inside_C_lan = "yes" ]
    then
        # Allow CUPS broadcasts?
        if [ $allow_cups_b = "yes" ]
        then
            # broadcast address of the class C lan this host sits in
            # (the source listing used $my_host, which this 2-interface
            # version no longer defines; my_host1 is assumed here)
            lan_b=$(echo $my_host1 | cut -d. -f 1-3).255
            $iptables -A INPUT -p udp -i $www_if --sport 631 \
                -d $lan_b --dport 631 -j ACCEPT
        fi
    fi


    # accept replies only when the connection has been started by oneself
    $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Drop without logging: NetBios, Windows, CUPS, DHCP
    $iptables -A INPUT -i $int_if1 -p udp --dport 137:138 -j DROP
    $iptables -A INPUT -i $int_if1 -p udp --dport 631 -j DROP
    $iptables -A INPUT -i $int_if1 -p udp --sport 60002:60004 -j DROP
    $iptables -A INPUT -i $int_if1 -p udp -d 255.255.255.255 -j DROP

    if [ $lan2 ]
    then
        $iptables -A INPUT -i $int_if2 -p udp --dport 137:138 -j DROP
        $iptables -A INPUT -i $int_if2 -p udp --dport 631 -j DROP
        $iptables -A INPUT -i $int_if2 -p udp --sport 60002:60004 -j DROP
        $iptables -A INPUT -i $int_if2 -p udp -d 255.255.255.255 -j DROP
    fi

    # Log and drop new connection attempts from the Internet
    $iptables -A INPUT -m state --state NEW,INVALID \
        -j LOG --log-prefix "in-new "
    $iptables -A INPUT -m state --state NEW,INVALID -j DROP

    # log all surviving incoming packets
    $iptables -A INPUT -j LOG --log-prefix "end-in "


    # *** OUTPUT chain ***

    # accept loopback, lan 1 & 2
    $iptables -A OUTPUT -o lo -j ACCEPT

    if [ $lan1 ]
    then
        $iptables -A OUTPUT -o $int_if1 -s $my_host1 -d $lan1 \
            -j ACCEPT
    fi
    if [ $lan2 ]
    then
        $iptables -A OUTPUT -o $int_if2 -s $my_host2 -d $lan2 \
            -j ACCEPT
    fi

    # Checks TCP flags integrity
    $iptables -A OUTPUT -p tcp -j tcp_flags

    # Allow some ICMP types
    $iptables -A OUTPUT -p icmp -j icmp_out

    # Doesn't allow illegal destination IP addresses
    $iptables -A OUTPUT -j spoofed_dst_ip

    # just for internal mail server tests
    if [ $allow_smtp_test = "yes" ]
    then
        $iptables -A OUTPUT -p tcp -s $www_ip --sport smtp \
            -d $any --dport $unpriv_p \
            -j ACCEPT
        $iptables -A OUTPUT -p tcp -s $www_ip --sport smtp \
            -d $any --dport smtp \
            -j ACCEPT
    fi

    # outgoing established & related connections
    $iptables -A OUTPUT -o $www_if -m state \
        --state ESTABLISHED,RELATED \
        -j ACCEPT

    # new connections from this host to the Internet: only the services
    # listed in www_serv
    $iptables -A OUTPUT -o $www_if -s $www_ip -m state \
        --state NEW \
        -j www_serv

    # everything else that is new or invalid is dropped
    $iptables -A OUTPUT -o $www_if -m state \
        --state NEW,INVALID \
        -j DROP

    # Linux-Kurs, Samba-Server - Copyright © 5. November 2002, Pierre Burri - Michel Bisson http://www.linux-age.com

    # drop netbios packets without logging
    $iptables -A OUTPUT -p udp --sport 137:138 -j DROP
    $iptables -A OUTPUT -p tcp --sport 139 -j DROP

    # log all surviving outgoing packets
    $iptables -A OUTPUT -j LOG --log-prefix "end-out "


    # *** NAT / MASQUERADING ***
    if [ $forwarding = "yes" ]
    then
        # Masquerade lan1 ---> Internet
        if [ $lan1 ]
        then
            $iptables -t nat -A POSTROUTING -o $www_if -s $lan1 \
                -j MASQUERADE
        fi

        # Masquerade lan2 ---> Internet
        if [ $lan2 ]
        then
            $iptables -t nat -A POSTROUTING -o $www_if -s $lan2 \
                -j MASQUERADE
        fi

        # accept anything going to and from local loopback (lo)
        $iptables -t nat -A OUTPUT -o lo -j ACCEPT

        # locally generated packets to the Internet
        $iptables -t nat -A OUTPUT -o $www_if -s $www_ip -j ACCEPT

        # locally generated packets to lan1
        if [ $lan1 ]
        then
            $iptables -t nat -A OUTPUT -o $int_if1 \
                -s $my_host1 -d $lan1 -j ACCEPT
        fi

        # locally generated packets to lan2
        if [ $lan2 ]
        then
            $iptables -t nat -A OUTPUT -o $int_if2 \
                -s $my_host2 -d $lan2 -j ACCEPT
        fi

        # packets from this host and packets routed between the lans
        # leave without being masqueraded
        $iptables -t nat -A POSTROUTING -o lo -j ACCEPT
        $iptables -t nat -A POSTROUTING -o $www_if -s $www_ip -j ACCEPT
        $iptables -t nat -A POSTROUTING -o $int_if1 -s $my_host1 -j ACCEPT
        $iptables -t nat -A POSTROUTING -o $int_if2 -s $my_host2 -j ACCEPT
        $iptables -t nat -A POSTROUTING -o $int_if1 -s $lan2 -j ACCEPT
        $iptables -t nat -A POSTROUTING -o $int_if2 -s $lan1 -j ACCEPT

        # incoming packets from the lans
        if [ $lan1 ]
        then
            $iptables -t nat -A PREROUTING -i $int_if1 \
                -s $lan1 -j ACCEPT
        fi
        if [ $lan2 ]
        then
            $iptables -t nat -A PREROUTING -i $int_if2 \
                -s $lan2 -j ACCEPT
        fi

        # Allow access to a mail server?
        if [ $allow_smtp = "yes" ]
        then
            $iptables -t nat -A PREROUTING -p tcp -i $www_if \
                -s $any --sport smtp \
                -d $www_ip --dport smtp -j ACCEPT
            $iptables -t nat -A PREROUTING -p tcp -i $www_if \
                -s $any --sport $unpriv_p \
                -d $www_ip --dport smtp -j ACCEPT
        fi

        # Allow SSH?
        if [ $ssh_rip != "dis" ]
        then
            if [ $ssh_rip = "ena" ]
            then
                $iptables -t nat -A PREROUTING -p tcp -i $www_if \
                    -s $any --sport $unpriv_p \
                    -d $www_ip --dport ssh -j ACCEPT
                $iptables -t nat -A PREROUTING -p tcp -i $www_if \
                    -s $any --sport $unpriv_p \
                    -d $www_ip --dport $unpriv_p -j ACCEPT
            else
                $iptables -t nat -A PREROUTING -p tcp -i $www_if \
                    -s $ssh_rip --sport $unpriv_p \
                    -d $www_ip --dport ssh -j ACCEPT
                $iptables -t nat -A PREROUTING -p tcp -i $www_if \
                    -s $ssh_rip --sport $unpriv_p \
                    -d $www_ip --dport $unpriv_p -j ACCEPT
            fi
        fi

        # Accept echo request ICMP packets
        $iptables -t nat -A PREROUTING -p icmp --icmp-type \
            echo-request -j ACCEPT

        # Drop the Netbios packets without logging
        $iptables -t nat -A OUTPUT -p udp --sport 137:138 -j DROP
        $iptables -t nat -A OUTPUT -p udp --dport 137:138 -j DROP
        $iptables -t nat -A PREROUTING -p udp --sport 137:138 -j DROP
        $iptables -t nat -A PREROUTING -p udp --dport 137:138 -j DROP

        # Log the surviving packets
        # (the PREROUTING log prefix is missing from the source listing;
        # "end-nat-pre " is assumed here to match the two rules below)
        $iptables -t nat -A PREROUTING -j LOG --log-prefix "end-nat-pre "
        $iptables -t nat -A POSTROUTING -j LOG --log-prefix "end-nat-post "
        $iptables -t nat -A OUTPUT -j LOG --log-prefix "end-nat-out "


        # *** FORWARD chain ***

        # turn on IP Forwarding and Dynamic Address
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo 1 > /proc/sys/net/ipv4/ip_dynaddr

        # correction of MSS (Max Segment Size) for ADSL clients
        # 1452 Bytes + 40 Bytes (TCP Header) + 8 Bytes (PPPoE) = 1500 Bytes
        if [ $adsl_router = "yes" ]
        then
            $iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                -j TCPMSS --clamp-mss-to-pmtu
        fi

        # Forward related & established connection responses from outside
        $iptables -A FORWARD -i $www_if -o $int_if1 \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
        $iptables -A FORWARD -i $int_if1 -o $www_if \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
        if [ $lan2 ]
        then
            $iptables -A FORWARD -i $www_if -o $int_if2 \
                -m state --state ESTABLISHED,RELATED -j ACCEPT
            $iptables -A FORWARD -i $int_if2 -o $www_if \
                -m state --state ESTABLISHED,RELATED -j ACCEPT
        fi

        # Log and drop all new connections from the Internet
        $iptables -A FORWARD -i $www_if -o $int_if1 \
            -m state --state NEW,INVALID \
            -j LOG --log-prefix "forw-drop "
        $iptables -A FORWARD -i $www_if -o $int_if1 \
            -m state --state NEW,INVALID -j DROP
        if [ $lan2 ]
        then
            $iptables -A FORWARD -i $www_if -o $int_if2 \
                -m state --state NEW,INVALID \
                -j LOG --log-prefix "forw-drop "
            $iptables -A FORWARD -i $www_if -o $int_if2 \
                -m state --state NEW,INVALID -j DROP
        fi

        # allow some ICMP types
        $iptables -A FORWARD -p icmp -j icmp_out

        # checks TCP flags and spoofed IPs
        $iptables -A FORWARD -i $www_if -j com_check

        # Forward services initiated from the lans: lan1&2 ----> Internet
        if [ $lan1 ]
        then
            $iptables -A FORWARD -i $int_if1 -s $lan1 -o $www_if \
                -m state --state NEW -j www_serv
        fi
        if [ $lan2 ]
        then
            $iptables -A FORWARD -i $int_if2 -s $lan2 -o $www_if \
                -m state --state NEW -j www_serv
        fi

        # Forward all packets between Lan1 and Lan2: lan1 <----> lan2
        if [ "$lan1" -a "$lan2" ]
        then
            $iptables -A FORWARD -i $int_if1 -s $lan1 -o $int_if2 \
                -d $lan2 -j ACCEPT
            $iptables -A FORWARD -i $int_if2 -s $lan2 -o $int_if1 \
                -d $lan1 -j ACCEPT
        fi

        # Don't show the rejected UDP packets
        $iptables -A FORWARD -p udp --sport 1024: -j DROP

        # catch all surviving packets for logging
        $iptables -A FORWARD -j LOG --log-prefix "end-forw "

    else
        # Turn OFF forwarding and dynamic addressing
        echo 0 > /proc/sys/net/ipv4/ip_forward
        echo 0 > /proc/sys/net/ipv4/ip_dynaddr
    fi

    echo -e "$rc_done"
    ;;
    stop)
    echo -n "Shutting down firewall rules. "

    # Turning off IP Forwarding
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # Set default policies
    $iptables -P INPUT ACCEPT
    $iptables -P OUTPUT ACCEPT
    $iptables -P FORWARD DROP

    $iptables -t nat -P PREROUTING ACCEPT
    $iptables -t nat -P POSTROUTING ACCEPT
    $iptables -t nat -P OUTPUT ACCEPT

    # Flushing (clearing) all rules of all tables
    $iptables -F
    $iptables -t nat -F

    # Delete customized chains
    $iptables -X

    echo -e "$rc_done"
    ;;

    restart)
    $0 stop && $0 start $2 $3 || echo -e " $rc_failed"
    ;;

    status)
    # Show all rules of all tables
    $iptables -nvL
    echo ""
    echo "----- *** NAT-TABLE *** -----"
    echo ""
    $iptables -t nat -nvL
    ;;

    *)
    # Display error if arguments syntax is incorrect
    echo -n "Usage: $0 {start|stop|restart|status}"
    echo -e "$rc_failed"
    exit 1
    ;;
esac

exit 0
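The LOG rules above tag every logged packet with a --log-prefix ("spoofed-ip ", "new-or-open ", "in-new ", "forw-drop ", "end-in ", "end-out ", "end-forw ", "end-nat-post ", "end-nat-out "), which is what makes the kernel log usable for checking what the firewall actually dropped. The reader below is an added example, not part of MyFirewall; its log excerpt is a constructed sample in the netfilter LOG line format, with 198.51.100.1 standing in for $www_ip.

```shell
#!/bin/sh
# Added example, not part of MyFirewall: summarise the kernel log lines this
# firewall's LOG rules produce, keyed by the --log-prefix strings used in the
# script. The log excerpt is a constructed sample; 198.51.100.1 stands in for
# $www_ip and the source addresses are documentation ranges.

# Every prefix the script passes to --log-prefix (trailing space dropped)
LOG_PREFIXES="spoofed-ip new-or-open fragmented in-new end-in end-out forw-drop end-forw end-nat-post end-nat-out"

sample_log() {
    cat <<'EOF'
Jun 20 10:01:02 gw kernel: spoofed-ip IN=ppp0 OUT= SRC=10.1.2.3 DST=198.51.100.1 PROTO=TCP SPT=4444 DPT=22
Jun 20 10:01:05 gw kernel: in-new IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP SPT=51000 DPT=445
Jun 20 10:01:09 gw kernel: in-new IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP SPT=51001 DPT=139
Jun 20 10:01:12 gw kernel: in-new IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.1 PROTO=UDP SPT=1900 DPT=1900
Jun 20 10:02:11 gw kernel: forw-drop IN=ppp0 OUT=eth1 SRC=198.51.100.9 DST=192.168.70.20 PROTO=UDP SPT=53 DPT=1025
Jun 20 10:02:15 gw kernel: new-or-open IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=1234 DPT=6000
Jun 20 10:03:00 gw kernel: end-out IN= OUT=ppp0 SRC=198.51.100.1 DST=192.0.2.10 PROTO=UDP SPT=33434 DPT=33435
EOF
}

# Lines written by one LOG rule: the text after "kernel: " starts with its
# prefix. Reads the log on stdin; prints nothing (and succeeds) on no match.
lines_for_prefix() {
    grep "kernel: $1 " || true
}

# Number of lines a given LOG rule produced.
count_prefix() {
    lines_for_prefix "$1" | wc -l | tr -d ' '
}

# Value of one key=value field (SRC, DST, PROTO, DPT, ...) of a LOG line.
field() {
    sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Source addresses behind a prefix, most frequent first, as "count ip".
top_sources() {
    lines_for_prefix "$1" | field SRC | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Destination ports seen under a prefix, numerically sorted, deduplicated.
ports_for_prefix() {
    lines_for_prefix "$1" | field DPT | sort -n | uniq
}

# One "prefix count" line per LOG rule for a whole log read from stdin.
summary() {
    log=$(cat)
    for p in $LOG_PREFIXES; do
        printf '%-12s %s\n' "$p" "$(printf '%s\n' "$log" | count_prefix "$p")"
    done
}

# Demonstration on the constructed sample.
demo() {
    echo "=== hits per LOG prefix ==="
    sample_log | summary
    echo "=== sources behind in-new (count ip) ==="
    sample_log | top_sources in-new
    echo "=== ports probed under in-new ==="
    sample_log | ports_for_prefix in-new | tr '\n' ' '
    echo
}

demo
```

On a real router, replace sample_log with `grep 'kernel:' /var/log/messages` (or wherever syslog writes kernel messages on your distribution).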